NSX Experience Day, Axians GNS AG, 26. Nov. 2016
Christoph Altherr, NSX Specialist SE, caltherr@vmware.com
Agenda
Lecture 01 - Introduction to NSX (30 min)
Lecture 02 - NSX Architecture (30 min)
Lab 01 - 15 min - HOL-1803-05-NET, Module 1: NSX Manager Installation and Configuration
Lecture 03 - Logical Switching and Routing (60 min)
Lab 02 - 30 min - HOL-1803-05-NET, Module 2: Logical Switching
Lab 03 - 60 min - HOL-1803-05-NET, Module 3: Logical Routing
Lecture 04 - Introduction to NSX Security (30 min)
Lecture 05 - Getting Started with Security and NSX (15 min)
Lab 04 - 45 min - HOL-1803-05-NET, Module 4: Service Composer and Distributed Firewall Overview
Lecture 06 - Policy Creation (15 min)
Lab 05 - 30 min - HOL-1803-05-NET, Module 5: Intelligent Grouping
Lab 06 - 45 min - HOL-1803-05-NET, Module 6: User Based Security with a Jump Box
Lab 07 - 30 min - HOL-1803-05-NET, Module 7: Application Rule Manager
Lecture 07 - Operations & Visibility (30 min)
Lab 08 - 45 min - HOL-1829-01-NET, Module 2: 360 Visibility across Virtual and Physical
WLAN SSID: GNS-Guest; web redirection: user / password as printed on the voucher
VMware Hands-On Labs (HOL) - NSX Security Experience Day Labs: http://labs.hol.vmware.com, HOL workshops: http://labs.hol.vmware.com/hol/catalogs/catalog/757
Alternative access option: http://web.hol.vmware.com/landingpages/index.aspx?id=socialab
Enroll in the lab: http://labs.hol.vmware.com/hol/catalogs/lab/4047
Start the lab: http://labs.hol.vmware.com/hol/catalogs/lab/4047, lab manual: http://docs.hol.vmware.com/hol-2018/hol-1803-05-net_pdf_en.pdf
Remember to extend the remaining lab time.
Introduction to NSX
In short, software is eating the world. Marc Andreessen, General Partner, Andreessen Horowitz and Netscape co-founder
The Data Center Networking Challenge: there has been a lot of innovation and virtualization in the data center, except for one area: networking. (Figure: compute, storage, networking.)
The Data Center Networking Challenge: the lack of network virtualization is holding back your ability to keep up with the pace of business, secure your data centers, and control cost.
The Emerging Cloud Networking Challenge: public clouds solve some of the limitations of data centers, but they can also introduce new networking and security challenges: multiple clouds, inconsistent tools and policies, different skill sets.
Network Virtualization Solves These Problems: abstracting networking and security from the underlying infrastructure (data center, cloud, branch office, IoT).
NSX Vision: Driving NSX Everywhere. Managing security and connectivity for many heterogeneous endpoints: cloud, branch offices / edge computing / IoT, new app frameworks, on-premises data center, end users.
NSX Value Proposition (figure sequence): the virtualization layer (network, storage, compute) runs on hypervisors with a vSwitch; NSX adds the network and security services (routing, switching, load balancing, firewalling) either in the hypervisor (on-prem) or as a service (cloud), which makes them hardware- and cloud-independent; workloads consume those services from the NSX platform on top of the virtualization layer.
Ground-breaking use cases: enterprises can often justify the cost of NSX through a single use case.
VMware NSX is to networking what VMware ESXi is to compute.
NSX Architecture
NSX Architecture and Components (physical network / logical network)
Cloud consumption (optional): self-service portal; vRealize Automation, OpenStack, vCloud Director, custom CMP
Management plane: vCenter Server and NSX Manager; single configuration portal; REST API entry point
Control plane: NSX Controller and NSX Edge; manages logical networks; control plane protocol; separation of control and data plane; the controller is not in the data path
Data plane (distributed services): VDS and hypervisor kernel modules, logical switch, distributed logical router, firewall, HW VTEP; high-performance data plane; scale-out distributed forwarding model; flexibility for connecting logical networks to the physical network
NSX Management Plane Components
Consumers: vRA / OpenStack / custom tooling via the vSphere APIs and NSX REST APIs; third-party management consoles; the NSX Manager vSphere plugin as the single pane of glass
vCenter and NSX Manager are paired 1:1
NSX Manager runs as a virtual machine and handles provisioning and management of networks and network services: VXLAN preparation, logical network consumption, network services configuration
NSX Control Plane Components
NSX controllers run as VMs in a vSphere cluster (vSphere HA, DRS with anti-affinity rules)
Properties: virtual form factor (4 vCPU, 4 GB RAM); data plane programming; control plane isolation
Benefits: scale out; high availability; VXLAN without multicast; ARP suppression
On each ESXi host: host agent and data-path kernel modules
NSX Data Plane Components
Compute clusters: ESXi hypervisor kernel modules (VIBs) on the vSphere Distributed Switch (VDS) provide logical switching (VXLAN), the distributed logical router (DLR) and the distributed firewall (security)
Edge clusters: NSX Edge services gateways in VM form factor, highly available, with dynamic routing (OSPF, BGP) and L3-L7 services (NAT, DHCP, load balancer, VPN, firewall)
HW VTEP (physical-to-virtual): ToR switch; bandwidth and physical-port scale-out; VLANs for physical workloads local to a rack
NSX Component Interaction - Deployment and Configuration
1 Deploy NSX Manager
2 Register NSX Manager with vCenter
3 Deploy the NSX controllers
4 Prepare the hosts (vSphere cluster 1 ... vSphere cluster n)
5 Configure and deploy NSX Edge gateway(s) and network services
Deploying and Configuring VMware NSX
One-time (deploy VMware NSX): component deployment (deploy NSX Manager, deploy the NSX controller cluster); preparation (host preparation, logical network preparation)
Recurring (consumption through NSX Manager and NSX Edge): programmatic virtual network deployment; logical networks (deploy logical switches per tier, deploy a distributed logical router or connect to an existing one); logical network and security services (security policy and network services)
Lab 01 NSX Manager Installation and Configuration Lab time: 15 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 11 through 17 Do not END your lab, in fact extend it
Logical Switching
Physical view - VMs in dvPGs (distributed virtual port groups): VM1-VM6 are attached to VDS dvpg1 and dvpg2 (both VLAN-backed) on the vSphere Distributed Switch, which connects to the physical network; figure addresses 172.16.10.11, 172.16.10.12, 172.16.10.13.
Physical view - VMs in LSs (logical switches): the same VMs now sit on NSX logical switches LS1 and LS2 (VXLAN-backed) built on top of VDS dvpg1/dvpg2 (VLAN-backed); the VMs keep their addresses 172.16.10.11-13 while the hosts' transport addresses in the figure (192.168.0.50, 192.168.100.50, 192.168.200.50) carry the overlay across the physical network.
Traffic Flow - VXLAN-backed VDS: in this setup VM1 and VM2 are on different hosts (Host A, Host B) but belong to the same logical switch. When these VMs communicate, a VXLAN overlay is established between the two hosts across the IP fabric; the VXLAN encapsulation happens at the kernel level in the ESXi host (VTEP = VXLAN Tunnel End Point). NSX enables multicast-free VXLAN with the help of the NSX controllers.
Traffic Flow - VXLAN-backed VDS. Assume VM1 sends some traffic to VM2:
1 VM1 sends an L2 frame to the local VTEP
2 The VTEP adds VXLAN, UDP and IP headers (the L2 frame becomes IP/UDP/VXLAN/L2 frame)
3 The physical transport network (IP fabric) forwards it as a regular IP packet
4 The destination hypervisor's VTEP de-encapsulates the frame
5 The L2 frame is delivered to VM2
Traffic Flow Troubleshooting - VXLAN-backed VDS: the outer UDP source port is derived from a hash of the original L2/L3/L4 headers, so one inner flow always carries the same outer 5-tuple while different inner flows are spread across the fabric's paths; when tracing a VXLAN flow on the physical network, this is the field that identifies it.
VMworld: NET8241 Monitoring and Troubleshooting NSX with vRealize Network Insight
NSX-V End-to-End Traceflow Visualization Tool: https://github.com/vmware/nsx-traceflow-pv
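As an added example (not part of the slides and not VMware code), the following Python models steps 2 and 4 of the flow above: a VTEP wrapping the L2 frame in VXLAN, UDP and IP headers, the far VTEP validating and unwrapping it, and the outer UDP source port being derived from a hash of the inner headers. The VTEP addresses, MACs, VNI and inner frame are constructed; the CRC32-based hash is an illustration of the property rather than NSX's own function, and the UDP destination port is a parameter because NSX-V started with 8472 before moving to the IANA port 4789.

```python
"""Added example (not from the slides or VMware): a VTEP's encapsulation (step 2)
and decapsulation (step 4) of one L2 frame, plus the entropy UDP source port.

Constructed values: VTEP IPs and MACs, the VNI and the inner frame. The hash
function is an illustration; the UDP destination port is a parameter because
NSX-V first shipped with 8472 and later moved to the IANA port 4789.
"""
import struct
import zlib

VXLAN_PORT_IANA = 4789
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" bit in the VXLAN flags byte


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying a header with its checksum in place yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src_ip: str, dst_ip: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a valid checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def entropy_source_port(inner_frame: bytes) -> int:
    """Map a hash of the inner L2/L3/L4 headers (first 54 bytes) into 49152-65535.

    The same inner flow always gets the same outer source port, so the fabric
    can spread different flows across ECMP/LAG paths and keep one flow in order.
    """
    return 49152 + zlib.crc32(inner_frame[:54]) % 16384


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                      src_vtep_mac: bytes, dst_vtep_mac: bytes,
                      dst_port: int = VXLAN_PORT_IANA) -> bytes:
    """Step 2: outer Ethernet + IPv4 + UDP + 8-byte VXLAN header around the original frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)  # flags+reserved, VNI+reserved
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), dst_port, udp_len, 0)  # csum 0 = none
    outer_eth = dst_vtep_mac + src_vtep_mac + struct.pack("!H", 0x0800)
    return outer_eth + ipv4_header(src_vtep, dst_vtep, udp_len) + udp + vxlan + inner_frame


def vxlan_decapsulate(packet: bytes, expected_dst_port: int = VXLAN_PORT_IANA):
    """Step 4: check the outer headers and return (vni, inner_frame, outer_src_ip, udp_src_port)."""
    if len(packet) < 14 + 20 + 8 + 8:
        raise ValueError("too short for Ethernet/IPv4/UDP/VXLAN")
    if struct.unpack("!H", packet[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if ip_checksum(packet[14:14 + ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if packet[14 + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    outer_src_ip = ".".join(str(b) for b in packet[26:30])
    udp_off = 14 + ihl
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != expected_dst_port:
        raise ValueError("UDP dst port %d is not the VXLAN port %d" % (dport, expected_dst_port))
    vx_off = udp_off + 8
    if not packet[vx_off] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    vni = struct.unpack("!I", packet[vx_off + 4:vx_off + 8])[0] >> 8
    return vni, packet[vx_off + 8:udp_off + ulen], outer_src_ip, sport


def sample_inner_frame() -> bytes:
    """Constructed inner frame: a UDP datagram VM1 (172.16.10.11) -> VM2 (172.16.10.12)."""
    vm1_mac, vm2_mac = bytes.fromhex("005056000001"), bytes.fromhex("005056000002")
    payload = b"hello from VM1"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload
    return vm2_mac + vm1_mac + struct.pack("!H", 0x0800) + \
        ipv4_header("172.16.10.11", "172.16.10.12", len(udp)) + udp


def roundtrip(vni: int = 5001) -> dict:
    """Host A's VTEP (192.168.0.50) encapsulates, Host B's VTEP (192.168.100.50) decapsulates."""
    inner = sample_inner_frame()
    wire = vxlan_encapsulate(inner, vni, "192.168.0.50", "192.168.100.50",
                             bytes.fromhex("00505600aa01"), bytes.fromhex("00505600bb02"))
    got_vni, got_inner, src, sport = vxlan_decapsulate(wire)
    return {"vni": got_vni, "intact": got_inner == inner, "outer_src": src,
            "udp_sport": sport, "overhead_bytes": len(wire) - len(inner)}


if __name__ == "__main__":
    print(roundtrip())
```

The 50 bytes of overhead (14 + 20 + 8 + 8) are why the transport MTU has to be raised above the VM MTU, and the receiver-side checks (EtherType, protocol, destination port, the VNI-valid flag) are exactly the points at which a capture on the uplink tells you whether a frame was encapsulated correctly.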
Logical Routing
NSX Logical Routing Component - Edge Services Gateway: on/off-ramp connectivity between logical and physical networks; optimized for north-south routing (static, OSPF, BGP); network services: firewall, NAT, load balancing, VPN, DHCP, DNS.
NSX Logical Routing Component - Distributed Logical Router: optimized for east-west; runs as hypervisor kernel modules (VIBs) instantiated on the ESXi hosts. LIFs (logical interfaces, e.g. LIF1-LIF3) are defined on the distributed router to handle VM default-gateway traffic; multiple LIFs per DLR instance; multiple DLR instances to isolate separate tenant domains. The DLR Control VM peers with the Edge Services Gateway and exchanges routing information.
NSX Logical Routing Components Interaction (OSPF, BGP peering)
1 A dynamic routing protocol is configured on the logical router instance (through NSX Manager)
2 The controller pushes the new logical router configuration, including the LIFs, to the ESXi hosts
3 OSPF/BGP peering is established between the NSX Edge (acting as next-hop router towards the external network) and the logical router Control VM
4 Routes learnt from the NSX Edge are pushed to the controller cluster for distribution
5 The controller sends the route updates to all ESXi hosts
6 The routing kernel modules on the hosts handle the data path traffic
Figure labels: 192.168.10.1, 192.168.10.2 and 192.168.10.3 on the transit segment between Edge, DLR and Control VM; 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 on the logical switches
Distributed Routing Traffic Flow - Same Host
VM1 (172.16.1.10, MAC1) on VXLAN 5001 and VM2 (172.16.2.10, MAC2) on VXLAN 5002 run on the same vSphere host. The DLR has internal LIFs LIF1 (172.16.1.1) and LIF2 (172.16.2.1), which share the virtual MAC (vMAC); the figure also labels 10.10.10.10/24 and 20.20.20.20/24 beside the internal LIFs.
1 VM1 sends a packet with DA 172.16.2.10 / SA 172.16.1.10 and L2 DA vMAC / SA MAC1 to its default gateway
2 The DLR kernel module on the host looks the destination up in its routing table
3 The ARP table on LIF2 resolves 172.16.2.10 to MAC2
4 The packet is delivered to VM2 on the same host without touching the transport network
Routing table (destination, mask, gateway, interface): 172.16.1.0, 255.255.255.0, 0.0.0.0, Direct (connected); 172.16.2.0, 255.255.255.0, 0.0.0.0, Direct (connected)
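As an added example (not part of the slides and not VMware code), this Python models the lookup the DLR kernel module performs for VM1 to VM2 on the same host, using the routing and ARP tables of the figure. The IPs, LIF addresses, VNIs and connected routes are the slide's; the MAC addresses, the uplink LIF (192.168.10.2 towards the Edge at 192.168.10.1 from the routing-interaction slide, with an assumed /29) and the default route are constructed so the example also shows, beyond the slide, what happens when the destination is not a connected network.

```python
"""Added example (not from the slides or VMware): the per-host DLR lookup for
VM1 -> VM2 on the same host, plus a default route towards the Edge.

Constructed values: MAC addresses, the uplink LIF prefix (/29) and the VNI of
the transit switch; IPs, LIF addresses and connected routes follow the figure.
"""
import ipaddress
from dataclasses import dataclass, replace

VMAC = "02:50:56:56:44:52"  # DLR virtual MAC shared by all LIFs on every host (constructed value)


@dataclass(frozen=True)
class Lif:
    name: str
    prefix: str   # LIF address in CIDR form, e.g. "172.16.1.1/24"
    vni: int      # logical switch the LIF attaches to


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    vni: int


class DistributedLogicalRouter:
    """One DLR instance as seen by a single ESXi host."""

    def __init__(self, lifs, default_next_hop=None):
        self.lifs = {lif.name: lif for lif in lifs}
        # Connected routes: one per LIF, gateway 0.0.0.0 ("Direct" on the slide).
        self.routes = [(ipaddress.ip_network(lif.prefix, strict=False), lif.name, None) for lif in lifs]
        if default_next_hop:  # (lif_name, next_hop_ip), e.g. the Edge learnt through the Control VM
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"), default_next_hop[0], default_next_hop[1]))
        self.arp = {}  # ip -> mac; a real DLR keeps one table per LIF, flat here for brevity

    def learn_arp(self, ip: str, mac: str) -> None:
        self.arp[ip] = mac

    def lookup(self, dst_ip: str):
        """Longest-prefix match over the routing table; returns (egress LIF name, next hop or None)."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, lif_name, next_hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, lif_name, next_hop)
        if best is None:
            raise LookupError("no route to %s" % dst_ip)
        return best[1], best[2]

    def forward(self, pkt: Packet):
        """Return the rewritten packet handed to the egress logical switch, or None if it is not routed."""
        if pkt.dst_mac.lower() != VMAC.lower():
            return None  # not addressed to the gateway: plain L2 switching on the source VNI
        if pkt.ttl <= 1:
            raise ValueError("TTL expired")
        lif_name, next_hop = self.lookup(pkt.dst_ip)
        target = next_hop or pkt.dst_ip
        if target not in self.arp:
            raise LookupError("ARP miss for %s on %s (would trigger an ARP request)" % (target, lif_name))
        # Routing decision and MAC rewrite happen in the kernel of the host that owns the source VM.
        return replace(pkt, src_mac=VMAC, dst_mac=self.arp[target], ttl=pkt.ttl - 1, vni=self.lifs[lif_name].vni)


def build_slide_dlr() -> DistributedLogicalRouter:
    dlr = DistributedLogicalRouter(
        [Lif("LIF1", "172.16.1.1/24", 5001), Lif("LIF2", "172.16.2.1/24", 5002),
         Lif("Uplink", "192.168.10.2/29", 5000)],
        default_next_hop=("Uplink", "192.168.10.1"))
    dlr.learn_arp("172.16.2.10", "00:50:56:00:00:02")   # VM2 (MAC2), constructed
    dlr.learn_arp("192.168.10.1", "00:50:56:00:00:ee")  # NSX Edge on the transit switch, constructed
    return dlr


def vm1_to_vm2() -> Packet:
    """VM1 (172.16.1.10, MAC1) sends to VM2: the packet changes VNI without leaving the host."""
    dlr = build_slide_dlr()
    frame = Packet("00:50:56:00:00:01", VMAC, "172.16.1.10", "172.16.2.10", 64, 5001)
    return dlr.forward(frame)


if __name__ == "__main__":
    print(vm1_to_vm2())
```

The returned packet carries VM2's MAC and VNI 5002 with the source MAC rewritten to the vMAC, which is what a capture on the destination vNIC shows; because every host owns the same vMAC and tables, the same lookup gives the same answer wherever VM1 happens to run.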
Lab 02 Logical Switching Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 19 through 63 Do not END your lab, in fact extend it
Lab 03 Logical Routing Lab time: 45 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 65 through 233 Do not END your lab, in fact extend it
Introduction to NSX Security
Security with NSX: Micro-segmentation | Secure end user | DMZ Anywhere
Our security realities: when threats breach the perimeter, it's hard to stop lateral spread (micro-segmentation). Low-priority systems are often targeted first; attackers can then move freely around the data center, gather the valuable data and exfiltrate it. (Figure: Internet, network perimeter.)
What if you could enforce security at the most granular level of the data center? With micro-segmentation every VM can have individual security policies and individual firewalls.
What if you could maintain that level of consistent security across an entire application? Modern apps are distributed in nature (web, app, DB tiers); each VM is typically part of a larger application, so security needs to reach beyond an individual VM.
Better security, simplified policy: define a policy using workload characteristics, not IPs and ports. An NSX security policy can be based on things like operating system, machine name, services, application tier, regulatory requirements (e.g. PCI scope) and security posture. Creating and managing policies becomes a whole lot easier.
Non-NSX: loosely chained/attached firewalling. An L2 firewall between dvpg1 (secured net) and dvpg2 (unsecured net) on the VDS can easily be bypassed, by accident or wilfully (figure: two default gateways, VM4 on the unsecured side).
VMware NSX Micro-Segmentation - VMs in dvPGs (distributed virtual port groups): same figure as the logical switching physical view (VM1-VM6 on VLAN-backed dvpg1/dvpg2, addresses 172.16.10.11-13).
VMware NSX Micro-Segmentation - VMs in LSs (logical switches): same figure as the logical switching physical view (LS1/LS2 VXLAN-backed over dvpg1/dvpg2, transport addresses 192.168.0.50, 192.168.100.50, 192.168.200.50).
NSX Distributed Firewalling - Micro-segmentation: with the DFW each VM can now be its own perimeter; policies align with logical groups (e.g. Finance, HR, Engineering; App and DB tiers; shared services such as AD, NTP, DHCP, DNS, CERT), which prevents threats from spreading. Figure: perimeter firewall, DMZ, inside firewall. VMworld: SEC8348 Deploying Security in a Brownfield Environment
NSX Distributed Firewalling - Micro-segmentation. Source: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-microsegmentation.pdf
Security Group "in action"
DFW Centralized Management - objects a rule can reference
Identity: user identity, groups
vCenter containers: datacenters and clusters, port groups, VXLAN
Services: protocol, ports, custom
Choice of policy enforcement point (PEP): clusters, VXLAN, vNICs
IPv6 compliant: IPv6 addresses, IPv6 sets, IPv6 services
VM containers: VM names, VM tags, VM attributes
Security with NSX: Secure end user
Our security realities: proliferation of devices accessing the data center, yet not all are secured (secure end user). Mobile workers have broad access to data center resources: VDI at a branch or remote location, mobile devices in the field or at home, laptops or desktops at work or home. (Figure: Internet, network perimeter.)
What if you could extend micro-segmentation out to secure the end user device? Secure end user: micro-segmentation limits device access to only what is needed, whether VDI at a branch or remote location, a mobile device in the field or at home, or a laptop or desktop at work or home.
Security with NSX: DMZ Anywhere
Our security realities: isolating physical infrastructure for security is effective, but inefficient (DMZ anywhere). A physical DMZ beside the data center core infrastructure means manual processes, inefficient use of pooled resources and high CapEx investment.
What if you could pool your physical infrastructure resources, so that you could provide isolation at the hypervisor layer, enabling you to create DMZs anywhere, regardless of their location? DMZ anywhere is scalable and flexible, increases asset utilization and simplifies management (figure: DMZs on top of the data center core infrastructure).
Getting Started with Security and NSX
NSX Security Features - inherently secure infrastructure
Micro-segmentation: distributed firewall for inter-/intra-zone segmentation; rules based on IP, MAC, VM attributes, vCenter and external context; guest introspection for anti-virus and malware protection
Secure end user: VDI security with the NSX distributed firewall, with context based on Active Directory
DMZ anywhere: DMZ for PCI, HIPAA and other compliance; guest introspection for anti-virus, malware protection, third-party firewall, IPS/IDS
Getting Started with NSX Security
1 Run a Virtual Network Assessment: deploy vRNI to understand the current state of the infrastructure based on flow analysis. No need to install NSX yet!
2 Deploy NSX: install the NSX bits and prepare the hosts to deploy the NSX distributed firewall. No changes to your existing infrastructure. Hint: you can automate this!
3 Create infrastructure DFW rules: use the data from the Virtual Network Assessment to build firewall policy for core services like DNS, syslog, AD and more. This gives apps access to core services.
4 Run Application Rule Manager: ARM analysis can be used to analyze the posture of your apps and automatically create new rules. Build a micro-segmentation policy.
5 Micro-segment and monitor: repeat for the other apps, send logs to syslog and monitor your apps. Micro-segmentation done!
Security in the DC with NSX What is Zero Trust?
Deploying NSX Micro-Segmentation - Deployment Option: Distributed Segmentation
- Distributed Firewall applied to each vNIC
- Controlled communication or isolation between workloads on the same or different VLAN
- East-west filtering by the NSX Distributed Firewall; the existing physical firewall only handles north-south communication
- Traffic discovery to determine the required flows/rules
- Advanced partner services can be inserted at each vNIC
(Figure: stateful DFW policy, controlled communication, physical router)
Deploying NSX Micro-Segmentation - Deployment Option: Distributed Segmentation and Network Overlays
- Logical switches based on overlays to isolate/segment independent of the underlying physical network
- Distributed logical routers to optimize east-west routing
- The Edge Services Gateway can also be leveraged for north-south routing, north-south firewalling, load balancing, NAT and VPN
- Distributed Firewall providing controlled communication or isolation between workloads on the same or different logical switch (overlay)
- Advanced partner services can be inserted at each vNIC
(Figure: stateful DFW policy, controlled communication, VPN, DLR / ESG)
Deploying NSX Micro-Segmentation - Deployment Steps: NSX Manager, VDS and Host Prep
- Pre-existing management and compute clusters can be leveraged
- NSX Manager is deployed in the management cluster and registered with the existing vCenter Server
- A VDS is required for all compute clusters
- Host preparation installs the NSX VIBs on all hosts in a cluster; this is a non-disruptive operation
- The Distributed Firewall is enabled on every VM with a default allow-all policy
(Figure: management cluster, VDS, compute clusters on VLAN 10 / 20 / 30, L2 / L3)
Policy Creation
Micro-Segmentation Policy Creation - Firewall Rule Table and Service Composer
Firewall Rule Table: analogous to a typical firewall rule table; provides an overview of all rules in the system; DFW rules and network introspection; sections enable rule grouping; UI and API driven
Service Composer: one or more security policies can be applied to security groups; policies define DFW rules and the service chain; the abstraction enables efficient service deployment; independent policies are combined specific to each workload; UI and API driven
Micro-Segmentation Policy Creation - Policy and Grouping Methodology
- Security Groups allow abstraction and grouping of workloads from the underlying virtual infrastructure
- End users and cloud admins are able to define application-centric security policies
- Security policies are applied to one or more security groups of which workloads are members
- Security Tags are applied to virtual machines and can be used for dynamic security group membership
Model: Security Tag (ST) -> Virtual Machine (VM) -> Security Group (SG: members such as VMs and vNICs, plus context such as user identity and security posture) -> Security Policy (guest introspection, distributed firewall and network introspection policies)
Micro-Segmentation Policy Creation - Dynamic Policy using Security Tags (example: App1 Security Group)
Requirements: apply differentiated policy based on OS and environment; automate policy application for new applications being provisioned.
Upon vRA blueprint deployment, all VMs that are part of an application are placed into a new security group, and every VM is tagged with multiple tags identifying function, zone, OS, environment and tenant, e.g. App1-Apache: DMZ_PROD_RHEL, Apache; App1-WLS: TRUSTED_PROD_RHEL, WLS; App1-ORADB: RESTRICTED_PROD_RHEL, ORADB
Micro-Segmentation Policy Creation - Zero Trust Policy Model (rule sections in evaluation order)
Emergency rules: used for quarantine and/or allow rules
Infrastructure rules: AD, DNS, NTP, DHCP, backup, management servers
Environment rules: rules between zones (prod vs dev, PCI vs non-PCI, inter-BU rules)
Inter-application rules: rules between applications
Intra-application rules: rules between the app tiers or between micro-services
Default rule = deny
The first three sections are global rules; the application rules are discovered with vRNI / ARM / EM (Endpoint Monitoring); the result is a whitelisting / zero trust model.
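As an added example for the two preceding slides (tag-driven dynamic security groups, and the ordered zero-trust rule table), not part of the deck and not VMware code, this Python evaluates sample flows against a default-deny rule set whose sections follow the order above. The App1 VMs and their function/zone/OS/environment/tenant tags follow the previous slide; the IP addresses, the DNS server, the DEV box and the specific rules are constructed, and the quarantine step shows how changing a tag re-evaluates membership and flips the verdict.

```python
"""Added example (not from the slides or VMware): security-tag driven group
membership plus an ordered, default-deny DFW rule table in the zero-trust
layout (emergency, infrastructure, environment, application, default).

Constructed: IPs, the DNS server, the DEV VM and the rules themselves.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

SECTION_ORDER = ["Emergency", "Infrastructure", "Environment", "Application", "Default"]
ANY = "any"


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    criteria: Callable[[FrozenSet[str]], bool]  # dynamic membership predicate over a VM's tags


@dataclass(frozen=True)
class Rule:
    section: str
    name: str
    src: str                   # security group name or ANY
    dst: str
    service: Tuple[str, int]   # (protocol, port) or (ANY, 0)
    action: str                # "allow" | "deny"


class DistributedFirewall:
    def __init__(self, vms: List[VM], groups: List[SecurityGroup], rules: List[Rule]):
        self.vms: Dict[str, VM] = {vm.ip: vm for vm in vms}
        self.groups = groups
        # Stable sort: sections in zero-trust order, rules keep their order inside a section.
        self.rules = sorted(rules, key=lambda r: SECTION_ORDER.index(r.section))
        self.refresh_membership()

    def refresh_membership(self) -> None:
        """Re-evaluate every dynamic group; run after any tag change, as NSX does on tag events."""
        self.membership = {g.name: {vm.ip for vm in self.vms.values() if g.criteria(vm.tags)}
                           for g in self.groups}

    def tag(self, vm_name: str, *new_tags: str) -> None:
        for ip, vm in list(self.vms.items()):
            if vm.name == vm_name:
                self.vms[ip] = VM(vm.name, vm.ip, vm.tags | frozenset(new_tags))
        self.refresh_membership()

    def _member(self, group: str, ip: str) -> bool:
        return group == ANY or ip in self.membership.get(group, set())

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
        """First matching rule wins; a flow matching nothing falls through to the default deny."""
        for r in self.rules:
            if self._member(r.src, src_ip) and self._member(r.dst, dst_ip) \
                    and r.service in ((proto, port), (ANY, 0)):
                return r.action, r.name
        return "deny", "default-deny"


def has(*required: str) -> Callable[[FrozenSet[str]], bool]:
    return lambda tags: all(t in tags for t in required)


def build_app1_dfw() -> DistributedFirewall:
    def t(fn, zone, env):
        return frozenset({"Function=" + fn, "Zone=" + zone, "OS=RHEL", "Environment=" + env, "Tenant=App1"})
    vms = [VM("App1-Apache", "10.1.1.10", t("Apache", "DMZ", "PROD")),
           VM("App1-WLS", "10.1.2.10", t("WLS", "TRUSTED", "PROD")),
           VM("App1-ORADB", "10.1.3.10", t("ORADB", "RESTRICTED", "PROD")),
           VM("App1-WLS-dev", "10.9.2.10", t("WLS", "TRUSTED", "DEV")),
           VM("dns01", "10.0.0.53", frozenset({"Function=DNS", "Environment=PROD"}))]
    groups = [SecurityGroup("SG-Quarantine", has("Quarantine")),
              SecurityGroup("SG-DNS", has("Function=DNS")),
              SecurityGroup("SG-PROD", has("Environment=PROD")),
              SecurityGroup("SG-DEV", has("Environment=DEV")),
              SecurityGroup("SG-App1-Web", has("Tenant=App1", "Function=Apache", "Environment=PROD")),
              SecurityGroup("SG-App1-App", has("Tenant=App1", "Function=WLS", "Environment=PROD")),
              SecurityGroup("SG-App1-DB", has("Tenant=App1", "Function=ORADB", "Environment=PROD"))]
    # Deliberately listed out of order: the firewall sorts them into the zero-trust section order.
    rules = [Rule("Application", "web-to-app", "SG-App1-Web", "SG-App1-App", ("tcp", 7001), "allow"),
             Rule("Application", "app-to-db", "SG-App1-App", "SG-App1-DB", ("tcp", 1521), "allow"),
             Rule("Emergency", "quarantine-out", "SG-Quarantine", ANY, (ANY, 0), "deny"),
             Rule("Emergency", "quarantine-in", ANY, "SG-Quarantine", (ANY, 0), "deny"),
             Rule("Infrastructure", "dns", ANY, "SG-DNS", ("udp", 53), "allow"),
             Rule("Environment", "dev-to-prod", "SG-DEV", "SG-PROD", (ANY, 0), "deny")]
    return DistributedFirewall(vms, groups, rules)


if __name__ == "__main__":
    fw = build_app1_dfw()
    print(fw.evaluate("10.1.1.10", "10.1.3.10", "tcp", 1521))  # web -> DB has no rule: default deny
```

Putting the infrastructure section ahead of the environment section is what lets a DEV box still reach DNS while everything else it sends towards PROD is blocked, and the two quarantine rules in the emergency section override every later allow as soon as the tag lands on a VM.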
Micro-Segmentation Policy Creation - Application Discovery, Methods and Tools: leveraging the existing firewall policy; vRealize Network Insight; NSX Application Rule Manager and Endpoint Monitoring; vRealize Log Insight (firewall log?)
Micro-Segmentation Policy Creation - NSX Micro-Segmentation Visibility and Planning Tools: profile applications both on the wire and on the guest; can be used on a per-application basis; end-to-end visibility and rule creation/enforcement; empowers the app team (visibility and rule creation streamlines deployment); drives the whitelisting model (default deny, then open up the necessities); fast app operationalization
Micro-Segmentation Policy Creation - NSX Micro-Segmentation Visibility and Planning Tools: Application Rule Manager
- Leverages flow monitoring to monitor all flows for selected vNICs
- Flows are de-duplicated, correlated and filtered
- Optimized flow tables are presented to users; IP addresses/ports are replaced with objects
- Users can further optimize the flow table
- Firewall rules are generated and can be published after review
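As an added example (not part of the deck and not NSX's own implementation), this Python walks the Application Rule Manager pipeline above in miniature: raw flow records are de-duplicated and correlated (reply direction dropped), IP addresses are replaced with inventory objects, and the result becomes candidate rules that an operator reviews before publishing. The flow records, the inventory and the one-line record format are constructed; the reply-detection heuristic (the lower port is the service port) is an assumption of the example, not NSX's.

```python
"""Added example (not from the slides or VMware): the Application Rule Manager
pipeline in miniature. Flow records and inventory are constructed; the record
format is not NSX's flow export.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed inventory: ip -> (vm name, security group). Unknown IPs stay as raw addresses.
INVENTORY = {
    "10.1.1.10": ("web-01", "SG-App1-Web"), "10.1.1.11": ("web-02", "SG-App1-Web"),
    "10.1.2.10": ("app-01", "SG-App1-App"),
    "10.1.3.10": ("db-01", "SG-App1-DB"),
    "10.0.0.53": ("dns01", "SG-DNS"),
}

# Constructed flow records "src_ip src_port dst_ip dst_port proto" seen on the monitored vNICs.
FLOW_LOG = """\
10.1.1.10 50122 10.1.2.10 7001 tcp
10.1.1.10 50123 10.1.2.10 7001 tcp
10.1.1.11 41000 10.1.2.10 7001 tcp
10.1.2.10 7001 10.1.1.10 50122 tcp
10.1.2.10 39000 10.1.3.10 1521 tcp
10.1.2.10 39001 10.1.3.10 1521 tcp
10.1.1.10 55000 10.0.0.53 53 udp
10.1.2.10 55001 10.0.0.53 53 udp
203.0.113.7 60000 10.1.1.10 443 tcp
203.0.113.9 60001 10.1.1.11 443 tcp
"""

Flow = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class CandidateRule:
    src: Tuple[str, ...]   # object names or raw IPs
    dst: str
    service: str           # e.g. "tcp/7001"
    flows: int             # supporting records after de-duplication


def parse_flows(log: str) -> List[Flow]:
    out = []
    for line in log.splitlines():
        if not line.strip():
            continue
        s, sp, d, dp, proto = line.split()
        out.append((s, int(sp), d, int(dp), proto))
    return out


def drop_replies(flows: List[Flow]) -> List[Flow]:
    """Correlate both halves of a session and keep only the client->server direction.

    Heuristic (assumption of this example): if the mirrored 5-tuple was seen and
    this record's source port is the lower one, it is the server's reply.
    """
    seen = set(flows)
    return [f for f in flows if not ((f[2], f[3], f[0], f[1], f[4]) in seen and f[1] < f[3])]


def to_object(ip: str) -> str:
    return INVENTORY[ip][1] if ip in INVENTORY else ip


def aggregate(flows: List[Flow]) -> List[CandidateRule]:
    """De-duplicate on (src object, dst object, service); ephemeral source ports are discarded."""
    counts = defaultdict(int)
    for s, _sp, d, dp, proto in flows:
        counts[(to_object(s), to_object(d), "%s/%d" % (proto, dp))] += 1
    return [CandidateRule((s,), d, svc, n) for (s, d, svc), n in sorted(counts.items())]


def merge_sources(rules: List[CandidateRule]) -> List[CandidateRule]:
    """Optimization step: rules that differ only in source collapse into one rule with a source set."""
    merged = {}
    for r in rules:
        key = (r.dst, r.service)
        if key in merged:
            prev = merged[key]
            merged[key] = CandidateRule(tuple(sorted(set(prev.src) | set(r.src))), r.dst, r.service,
                                        prev.flows + r.flows)
        else:
            merged[key] = r
    return list(merged.values())


def generate_rules(log: str = FLOW_LOG) -> List[CandidateRule]:
    """Full pipeline: parse -> correlate -> de-duplicate/objectify -> optimize; output is for review."""
    return merge_sources(aggregate(drop_replies(parse_flows(log))))


if __name__ == "__main__":
    for rule in generate_rules():
        print("%s -> %s %s  (%d flows)" % (", ".join(rule.src), rule.dst, rule.service, rule.flows))
```

Ten records collapse into four candidate rules; the two Internet sources for tcp/443 stay as raw addresses because they are outside the inventory, which is precisely the kind of entry a reviewer would replace with an IP set or an "external" object before publishing.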
Lab 04 Service Composer and Distributed Firewall Overview Lab time: 45 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 235 through 343 Do not END your lab, in fact extend it
Lab 05 Intelligent Grouping Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 345 through 390 Do not END your lab, in fact extend it
Lab 06 User Based Security with Jumpbox Lab time: 45 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 392 through 460 Do not END your lab, in fact extend it Note: Don't forget to install Guest Introspection
Lab 07 Application Rule Manager Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for HOL-1803-05-NET Enroll in the lab Follow the lab steps in pages 462 through 504 Do not END your lab, in fact extend it Note: change the default rule to allow and disable the internal-to-internal rule
Operations and Visibility
NSX Dashboard
VM Live Flow
L2 and L3 Traceflow - test connectivity through logical and physical paths
Overview: the ability to trace a packet through the virtual and physical network; shows where the packet is dropped; supports L2 and L3 traceflow; user-defined packet format; can be initiated through the UI or the API
Benefits: helps identify problems in the virtual or physical network; enhanced supportability and troubleshooting; the user-defined packet header helps validate and troubleshoot firewall rules
(Figure: Web1 to Web2 across a logical switch, observation points 1-5)
NSX Central CLI
- Centralized read-only commands to fetch run-time data across multiple components (management plane: NSX Manager; control plane: NSX Controllers; data plane: vSphere ESXi hosts and NSX Edge)
- Available on NSX Manager in user mode
- Leverages the existing communication channels between components
- Can be consumed by custom scripts via the API
Log Insight NSX Dashboards
Monitoring Network Connection and Traffic - functionality overview. Source: https://docs.vmware.com/en/vmware-vsphere/6.5/com.vmware.vsphere.networking.doc/guid-6db73f20-c99a-43d4-9ee0-3277974ef8bf.html
VMware VDS Packet Capture. Source: https://docs.vmware.com/en/vmware-vsphere/6.5/com.vmware.vsphere.networking.doc/guid-5ce50870-81a9-457e-be56-C3FCEEF3D0D5.html
VMware VDS Packet Capture - the pktcap-uw utility
ESXi 5.5 (and later) has the enhanced packet capture tool pktcap-uw built in. Five important packet capture points:
1. Capture packets as they leave/enter a VM
2. Capture traffic after the NSX DFW
3. Capture VXLAN-encapsulated traffic
4. Capture traffic after NSX DLR routing
5. Capture NSX control plane traffic
Source: http://blog.ipcraft.net/packet-capture-nsx-troubleshooting-pktcap-uw/
Source: http://www.yet.org/2014/09/nsxv-troubleshooting/
VMware VDS Packet Capture - analyze the capture files in Wireshark: for better and easier analysis, SCP the two pcap files from the ESXi host to a PC. Open one of the files with Wireshark, choose Merge from the File menu and select the other pcap file; the merged captures are then shown together in Wireshark.
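As an added example (not from the slides, and not Wireshark's or VMware's code), the following Python does by hand what Wireshark's File > Merge does with two pktcap-uw files: it parses the classic pcap format, refuses to mix link types, and interleaves the records of both captures in timestamp order. Both captures are constructed in memory from a few dummy frames so the script runs without an ESXi host; the frame contents and timestamps are made up.

```python
"""Added example (not from the slides): a chronological merge of two pcap files,
the manual equivalent of Wireshark's File > Merge. Captures are constructed.
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution classic pcap
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes)


def write_pcap(records: List[Record], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialize: 24-byte global header, then 16-byte record headers followed by frame bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file in either byte order; returns (linktype, records)."""
    if len(data) < 24:
        raise ValueError("truncated pcap header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %s)" % data[:4].hex())
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((sec, usec, frame))
        off += 16 + incl
    return linktype, records


def merge_pcaps(*files: bytes) -> bytes:
    """Chronological merge (stable sort, so ties keep file order); mixed link types are refused."""
    linktypes, merged = set(), []
    for f in files:
        lt, recs = read_pcap(f)
        linktypes.add(lt)
        merged.extend(recs)
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types: %s" % sorted(linktypes))
    merged.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(merged, linktypes.pop())


def frame(tag: bytes) -> bytes:
    """Constructed dummy Ethernet frame: broadcast dst, locally administered src, EtherType 0x88B5."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x88\xb5" + tag


def demo_merge() -> List[Record]:
    """Two captures taken at different points (e.g. vNIC side and uplink side), interleaved by time."""
    capture_a = write_pcap([(100, 10, frame(b"A1")), (100, 300, frame(b"A2"))])
    capture_b = write_pcap([(100, 20, frame(b"B1")), (101, 0, frame(b"B2"))])
    return read_pcap(merge_pcaps(capture_a, capture_b))[1]


if __name__ == "__main__":
    for sec, usec, fr in demo_merge():
        print("%d.%06d %s" % (sec, usec, fr[-2:].decode()))
```

The timestamps of both files come from the same ESXi clock, which is what makes the interleaving meaningful: a frame that appears in the vNIC-side capture but never in the uplink-side capture, with nothing in between, points at the capture point (for instance the DFW) where it was dropped.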
vRealize Network Insight (vRNI)
Intelligent Operations for the Software-Defined Datacenter
Application: vRealize Network Insight (1), vRealize Business for Cloud (1), vRealize Operations (1), vRealize Log Insight (2)
Scope: network & security, compute, storage, hybrid cloud; physical / virtual / cloud environment
(1) vRealize Suite components; (2) included with vRealize Suite and ships with NSX
vRealize Network Insight - Transformative Operations for the NSX-based Software-Defined Data Center
- Plan micro-segmentation deployment and audit security compliance
- Optimize network performance with 360° visibility and analytics across virtual, physical and cloud
- Offers best practices, health and availability of the NSX deployment
Source: https://www.youtube.com/watch?v=p1hfxq7il3o
East-West Traffic Analysis: east-west traffic flow analysis; breakdown of data center traffic by east-west, VM-to-VM, VM-to-physical, switched, routed, etc.; get the detailed flow stats behind each number
Security Policy Automation - Micro-Segmentation
- Discover vCenter and NSX constructs (folders, clusters, VLANs, security tags)
- Automated security groupings based on vCenter and NSX constructs, workload characteristics, ports and common services
- Recommended security policies / firewall rules (zero-trust model)
- See network traffic per host and per VM; export as CSV
Data Paths Across Overlay and Underlay
- Connectivity graphs: VM to VM, VM to physical, VM to Internet
- Hop-by-hop path across the overlay (LDRs, Edge gateways) and the underlay (physical VDCs and VRFs); see the virtual-to-physical boundary
- Correlated problems and performance metrics across virtual and physical
- See the effective firewall rules and security policies across NSX and PANW in a service-chained environment
(Figure: NSX firewall, PANW virtual firewall, VXLAN, converged infrastructure (e.g. UCS), VLAN, PANW physical firewall, physical network switch/router)
Simple & Contextual Search
- Single pane of glass between virtual and physical
- Google-like search for ease of use
- Time-aware search (go back in time)
- Fewer clicks to find and identify issues
- Simplified interface, reduced learning curve across admin teams
NSX Infrastructure Monitoring and Best-Practice Checks - configuration, health and consistency validation: VTEP-level misconfigurations; VTEP underlay mapping checks; netcpa health; host version validation; LDR and Edge configuration issues; routing misconfigurations/issues between LDR, Edge and physical routers
Lab 08 360 Visibility across Virtual and Physical Lab time: 30 minutes To access this lab perform the following steps: Log in to the VMware Hands-On Labs Web site Search for the vrni Lab HOL-1829-01-NET Enroll in the lab Follow the lab steps in pages 58 through 100
Additional Resources
Websites: http://virtualiz
eyournetwork.com/ and http://www.vmware.com/products/nsx/
VMware Hands-on Labs (http://labs.hol.vmware.com):
HOL-1803-01-NET - VMware NSX - Getting Started
HOL-1803-02-NET - VMware NSX - Distributed Firewall and Micro-Segmentation
HOL-1803-03-NET - VMware NSX - Operations and Visibility
HOL-1825-01-NET - VMware NSX - Advanced Consumption
HOL-1825-02-NET - VMware NSX and SRM - Active-Standby Solution
HOL-1826-01-NET - VMware NSX-T - Getting Started
HOL-1826-02-NET - VMware NSX-T with Kubernetes
HOL-1841-01-NET - Secure Horizon with Trend Micro and NSX
HOL-1842-01-NET - VMware AppDefense - Secure Datacenter Endpoints
HOL-1823-01-NET - Palo Alto Networks VM-Series on NSX - Next-Gen Security for your SDDC
HOL-1824-01-NET - Check Point vSEC and NSX - Advanced SDDC Security
NSX for vSphere Design Guide: https://communities.vmware.com/docs/doc-27683
Free ebooks: VMware NSX Micro-segmentation: Day 1 Guide; VMware NSX Micro-segmentation: Day 2 Guide; Operationalizing VMware NSX; Automating NSX for vSphere with PowerNSX
https://blogs.vmware.com/networkvirtualization/2017/08/announcing-three-new-vmware-nsx-guides.html/
Thank you!